Serena Raymond
June 16, 2020 in
Security

What is Domain Greylisting?

You’ve trained your team to ignore phishing emails, you’ve doubled down on IT security, and you view downloadable attachments with suspicion. It’s a dangerous e-world out there, after all. 

You might not be aware, however, that you can put your computer’s security at risk simply by visiting a website. Malicious websites abound. Some such sites run malware, undetected, in the background of an otherwise legitimate-looking page. Others pose as well-known organizations and request personal information or action on your part.

For example, more than 150,000 malicious domains operating under the guise of COVID-19 relief and awareness have been registered since December 2019, according to the Head of Threat Intelligence at Skurio. Cyber criminals have used these domains to solicit donations to the American Red Cross, while other phishers pose as government websites to obtain personal information. 

There comes a time when generic IT risk education won’t be enough to protect you from clever cyber criminals. Tools and protocols for identifying malicious websites exist, but none can keep pace with the volume of new domain registrations. This is where domain greylisting comes into play.

What is domain greylisting?

You’ve heard of blacklisting: compiling a list of sites that are known with 100 percent certainty to be misleading or dangerous, and blocking them. Whitelisting creates a “safe” list of trustworthy websites.

Domain greylisting is the method of addressing those sites which have not yet been categorized as “safe” or “malicious.” Domain greylisting temporarily denies access to an unknown domain, usually for a set period of time. This means users will need to attempt to access the site later. Most spammers only try to drive traffic to bad domains once, so requiring an additional attempt filters out many malicious domains.

This concept is worth exploring. Greylisting works so well because it operates under the assumption that malicious actors aren’t persistent. We see this in phishing scams all the time. Phishing attacks are, by their nature, low effort. All a criminal needs to do is come up with a just-clever-enough ruse that someone, somewhere falls for. Phishers often cast a wide net in the hopes that they catch a few unsuspecting victims. 

And yes, many of their attempts get filtered through spam detectors, but enough slip through the cracks to make it worth their while. These scammers don’t develop more complex methods that would re-attempt if they first got denied. By adding a simple roadblock, greylisting’s temporary denial of access, you’ve protected yourself.

What can domain greylisting do?

Let’s look at the numbers. In the first quarter of 2020, 4.5 million new domains were registered, at a rate of about 50,000 per day. Not all of these new domains are legitimate. A recent report found that, on average, 1,767 malicious COVID-19-themed domains alone were being created every day, a figure that doesn’t even include findings from non-pandemic-themed sites.

Domain greylisting prevents access to newly created websites, since not enough data has been compiled to determine their whitelist-or-blacklist status. It also safeguards against zero-day attacks and questionable new content.

Web browsers are a significant target for cyber criminals, thanks to their extensive usage. When hackers embed malware that exploits a browser’s unpatched vulnerabilities, anyone who visits the website from this browser can be infected. Preventing access to the domain spares your computer.

Why is domain greylisting important?

Sometimes, not seeing a new site is a good thing. Deceptive sites can have devastating consequences on your business. If you download the wrong software or upload sensitive data to the wrong party, it can be costly.

For example, an entity masquerading as a trusted business partner duped real estate mogul Barbara Corcoran out of $400,000 in a simple, single phishing attack.

On a larger scale, some attackers are taking advantage of Amazon Web Services (AWS) to steal credentials and sensitive data. They create malicious websites that look identical to the real AWS login page. AWS has millions of customers across the globe, including the U.S. military, so these false web pages could potentially wreak havoc and compromise national security.

The FBI reports that more than $26 billion was lost to phishing scams between 2016 and 2019. Roughly 84 percent of SMBs were targeted by phishing attacks in 2018 alone.

It should also be noted that domain greylisting has a minimal impact on legitimate sites. At DNSFilter, we greylist new domains for 30 days. It is very rare that someone purchases a domain and begins to point traffic to it immediately. Time is required to design and set up the backend of the site before it’s ready for public consumption. This 30-day period is enough time for legitimate domains to get up and running and for malicious domains to be taken down or found out in the first place.
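As an added illustration (not DNSFilter’s code), here is the per-query decision a filtering resolver could make: blacklist first, then whitelist, then the 30-day greylist window. The domain lists, registration dates and function names are constructed for the example, and denying domains with no registration data is an assumed policy.

```python
from datetime import datetime, timedelta, timezone

GREYLIST_WINDOW = timedelta(days=30)  # the 30-day period stated in the article

# Constructed sample data (assumption): a real filter would load these from feeds.
BLACKLIST = {"bad-relief-fund.example"}
WHITELIST = {"partner.example"}
# Registration time per registered domain, e.g. from a zone-file feed (assumed source).
REGISTERED_AT = {
    "fresh-covid-aid.example": datetime(2020, 6, 10, tzinfo=timezone.utc),
    "old-shop.example": datetime(2015, 1, 1, tzinfo=timezone.utc),
}


def normalize(qname):
    """Lower-case a queried name and drop the trailing root dot."""
    return qname.strip().lower().rstrip(".")


def parents(name):
    """Return the name and every parent suffix: a.b.example -> [a.b.example, b.example, example]."""
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def decide(qname, now):
    """Return (verdict, reason) for one DNS query; subdomains inherit the parent's status."""
    names = parents(normalize(qname))
    if any(n in BLACKLIST for n in names):
        return "block", "blacklisted"
    if any(n in WHITELIST for n in names):
        return "allow", "whitelisted"
    for n in names:
        registered = REGISTERED_AT.get(n)
        if registered is None:
            continue
        release = registered + GREYLIST_WINDOW
        if now < release:
            return "block", f"greylisted until {release.date()}"
        return "allow", "older than greylist window"
    # No registration data at all: still uncategorized, so deny (assumed fail-closed policy).
    return "block", "greylisted, age unknown"
```

Checking the blacklist before the whitelist means a known-bad parent domain cannot be overridden by a whitelisted subdomain entry.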

Conclusion

Malicious domains and phishing sites are costly and all too common. According to a 2020 mobile threat landscape report, a new phishing site launches every 20 seconds. With new domains popping up each and every day, the speed and volume make it impossible to blacklist every new bad domain that’s created.

That’s where domain greylisting comes in: a greylisting protocol temporarily blocks access to them.

DNSFilter offers protective solutions that, among other things, use domain greylisting to keep your business safe. If our DNS software deems a domain to be a phishing website, it will automatically keep you from visiting the page. What’s more, all newly registered domains are blocked for 30 days for your protection because when you surf the web, you shouldn’t have to fear the malicious undertow.
